Effective date: July 6, 2026 · Last updated: July 6, 2026
NORVARCH ("NORVARCH", "we", "us", or "our") respects your privacy and is committed to protecting personal data with a standard of care appropriate to institutional counterparties, government entities, and high-net-worth individuals. This Privacy Policy explains, in plain language, what personal data we collect, why we collect it, how we use and share it, how long we keep it, how we transfer it across borders, and the rights available to you. It is written to align with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and comparable data-protection laws in other jurisdictions in which we operate.
1. Scope & our role
This Policy applies to personal data we process when you: visit our website; submit a contact or quote request; upload documents; apply for employment; or register for and use our client portal. For most processing described here, NORVARCH acts as a data controller (or "business" under CCPA/CPRA). Where we process data on behalf of a client under a services agreement, we act as a data processor (or "service provider"), and that client's instructions and privacy notice govern.
2. Personal data we collect
- Identity & contact data: name, email address, telephone number, employer/company, job title, and postal address.
- Enquiry & quote data: the content of your messages, project category, scope, budget, timeline, and any attachments you upload (PDF, DOC, DOCX, JPG, PNG).
- Account & portal data: login credentials (passwords are stored only in salted, hashed form), account settings, orders, invoices, payment records, support tickets, and messages.
- Verification / KYC data: where you or your institution engage us, identity-verification and know-your-customer documentation you choose to submit.
- Applicant data: CV/resume, cover materials, and contact details submitted through our careers page.
- Technical & usage data: IP address, device and browser type, pages visited, referring URLs, and cookie identifiers (see our Cookie Policy).
We do not intentionally collect special-category data (such as health, religion, or biometric data). Please do not submit such data unless we specifically request it for a lawful purpose.
3. How and why we use your data
- To respond to enquiries, prepare and issue quotations, and negotiate and perform contracts.
- To create, secure, and administer your client-portal account, and to process orders, invoices, and payments.
- To conduct identity, sanctions, anti-money-laundering (AML), and other compliance checks where required.
- To evaluate job applications and manage recruitment.
- To operate, maintain, secure, and improve our website and services, and to detect and prevent fraud or abuse.
- To comply with legal, regulatory, tax, accounting, and reporting obligations, and to establish, exercise, or defend legal claims.
4. Legal bases for processing (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on one or more of the following legal bases: (a) performance of a contract or steps taken at your request before entering a contract; (b) legitimate interests in operating and growing our business, securing our systems, and communicating with prospective and existing clients, balanced against your rights; (c) compliance with a legal obligation, including AML/KYC and financial-reporting duties; and (d) your consent, where we ask for it (for example, non-essential cookies or optional marketing), which you may withdraw at any time.
5. Disclosure & sharing
We do not sell your personal data. We disclose it only in the following circumstances:
- Service providers (processors): hosting, email delivery, live-chat, payment processing, analytics, and IT-security vendors who act on our documented instructions under contractual confidentiality and data-protection terms.
- Professional advisers: auditors, lawyers, insurers, and consultants, bound by duties of confidentiality.
- Corporate transactions: in connection with a merger, acquisition, financing, or reorganisation, subject to appropriate safeguards.
- Legal & regulatory: where required by law, court order, or a competent authority, or to protect our rights, safety, or property.
6. International data transfers
We operate across multiple countries, and your personal data may be transferred to, stored in, or accessed from jurisdictions other than your own, including jurisdictions that may not provide the same level of protection as your home country. Where we transfer personal data internationally, we implement appropriate safeguards, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement/Addendum, or equivalent mechanisms, together with supplementary technical and organisational measures. You may request information about the specific safeguards we use by contacting us.
7. Data retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, tax, accounting, and regulatory requirements, and to resolve disputes. Typical periods: enquiry data is kept for the duration of the discussion and a reasonable follow-up period; contract, invoice, and AML/KYC records are kept for the periods mandated by applicable law (often several years after the relationship ends); uploaded files are deleted once no longer needed for the related request; applicant data is retained for a limited period after a recruitment decision unless you ask us to delete it sooner or consent to a longer talent-pool period. When data is no longer needed, we securely delete or anonymise it.
8. Security
We maintain technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit (HTTPS/TLS), salted and hashed password storage, access controls and least-privilege principles, network and file-access restrictions, logging, and vendor due diligence. No system is completely secure, and we cannot guarantee absolute security; however, we take these obligations seriously given the profile of our clients. If a personal-data breach is likely to result in a risk to your rights, we will notify affected individuals and the relevant supervisory authorities as required by law.
9. Your rights
Subject to applicable law, you may have the right to: access the personal data we hold about you; request correction of inaccurate data; request erasure ("right to be forgotten"); restrict or object to certain processing; request portability of data you provided to us; and withdraw consent where processing is based on consent. Where processing is based on legitimate interests or direct marketing, you may object at any time. To exercise any right, contact us using the details below; we may need to verify your identity before responding, and we will respond within the timeframes required by applicable law.
10. California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, use, and disclose; to request access to and deletion of your personal information; to correct inaccurate personal information; and to be free from discrimination for exercising these rights. We do not "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under the CPRA. To submit a request, contact us using the details below; you may use an authorised agent, and we will verify requests as required.
11. Applicant & KYC/AML data
Recruitment data is used solely to assess your application and manage hiring. KYC/AML and sanctions-screening data is processed to meet legal and regulatory obligations and to manage risk; it is access-restricted, retained for legally mandated periods, and not used for marketing.
12. Children
Our website and services are intended for businesses and adults. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in law, technology, or our operations. We will post the updated version here with a new "Last updated" date, and where required by law we will provide additional notice.
14. Contact & complaints
For privacy questions or to exercise your rights, contact us at info@norvarch.com, or by post at 47 West 13th Street - NY USA. If you are in the EEA or UK and believe we have not addressed your concern, you may lodge a complaint with your local data-protection supervisory authority; we would, however, appreciate the chance to resolve it first.